automated using CodeQL for VSCode extension

2025-12-18 01:33:15 +01:00 · 2022-03-23 09:37:45 +08:00
parent f2728f5284
commit 6a6cd61d83
1 changed files with 23 additions and 31 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
@@ -1,9 +1,9 @@
 /**
 * @name Linux kernel double-fetch vulnerability detection
- * @description Double-fetch is a very common vulnerability pattern 
- *              in linux kernel, attacker can exploit double-fetch 
- *              issues to obatain root privilege. 
- *              Double-fetch is caused by fetching data from user 
+ * @description Double-fetch is a very common vulnerability pattern
+ *              in linux kernel, attacker can exploit double-fetch
+ *              issues to obatain root privilege.
+ *              Double-fetch is caused by fetching data from user
 *              mode by calling copy_from_user twice, CVE-2016-6480
 *              is quite a good example for your information.
 * @kind problem
@@ -17,36 +17,28 @@
 import cpp
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering

-class CopyFromUserFunctionCall extends FunctionCall{
-    CopyFromUserFunctionCall(){
-        this.getTarget().getName() = "copy_from_user"
-        and not this.getArgument(1) instanceof AddressOfExpr
-    }
-
-   
-
-    predicate hasSameArguments(CopyFromUserFunctionCall another) {
-        globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0))
-        and globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1))
-    }
+class CopyFromUserFunctionCall extends FunctionCall {
+  CopyFromUserFunctionCall() {
+    this.getTarget().getName() = "copy_from_user" and
+    not this.getArgument(1) instanceof AddressOfExpr
+  }

+  predicate hasSameArguments(CopyFromUserFunctionCall another) {
+    globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0)) and
+    globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1))
+  }
 }

 from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
 where
-    not p1 = p2
-    and p1.hasSameArguments(p2)
-    and exists(IfStmt ifStmt| 
-        p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock()
-        and ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
-    )
-    and not exists(AssignPointerAddExpr assignPtrAdd |
-        globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue())
-        and p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
-    )
-
+  not p1 = p2 and
+  p1.hasSameArguments(p2) and
+  exists(IfStmt ifStmt |
+    p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock() and
+    ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
+  ) and
+  not exists(AssignPointerAddExpr assignPtrAdd |
+    globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue()) and
+    p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
+  )
 select p2, "Double fetch vulnerability. First fetch was $@.", p1, p1.toString()
-
-
-
-